Limit the maximum BGP AS-path length

From CT3

BGP allows numerous attributes (including AS-path, metrics, local preference and communities) to be attached to every advertised IP prefix. The total length of the BGP attributes attached to a single IP prefix can, in theory, be very large (the total path attribute length field in the UPDATE message is two bytes wide, so up to 64K bytes). IP prefixes with an excessive amount of attribute data residing in the BGP table can result in significant memory utilization and trigger software bugs.

An AS-path attribute with more than 255 AS numbers has to be expressed as multiple AS_SEQUENCE segments, because the length field of each segment is a single octet. This unusual AS-path composition is not handled properly by any Cisco IOS release up to (at least) 12.2SRC and 12.4T and results in a continuously flapping BGP session. The hard-coded AS-path length limit (see below) avoids this behavior unless route-map based AS-path prepending extends the AS-path beyond 255 AS numbers.

The Extended Length bit in the attribute header has to be set as soon as the attribute value no longer fits the one-octet attribute length field (255 bytes). With two-byte AS numbers in a single AS_SEQUENCE segment this happens at roughly 127 AS numbers (2 header bytes + 2 × 127 = 256 bytes). The extended length encoding causes errors in older IOS releases (Cisco bug ID CSCdr54230).

Cisco IOS can limit the maximum length of the AS-path attribute with the bgp maxas-limit router configuration command. It's highly advisable to use this command to reduce the impact of oversized AS-path attributes on the operation of your network. Without the bgp maxas-limit command, Cisco IOS will accept all inbound IP prefixes but mark the paths whose AS-path length exceeds 254 AS numbers as invalid (CSCeh13489). These paths are entered in the BGP table but not used.

The maximum sensible length of the AS-path attribute depends on your position within the Internet. Core operators observe lower AS-path lengths than the edge points. Due to CSCdr54230, you should not accept AS-paths having more than approximately 100 AS numbers; reasonable values are usually much lower.

Configuring the bgp maxas-limit command does not impact the regular BGP operation. The maxas-limit is checked during the inbound update processing. Prefixes with oversized AS-path length are simply ignored; BGP sessions are not disrupted.
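The two encoding thresholds discussed above (a new AS_SEQUENCE segment every 255 AS numbers, the Extended Length bit once the attribute value exceeds 255 bytes) and the inbound maxas-limit check are easiest to see on the wire. The following Python script is an added example; it is not part of the original article and not Cisco IOS code. It encodes and decodes the AS_PATH attribute according to RFC 4271 (2-byte AS numbers by default, 4-byte optionally) and applies a length check that models what bgp maxas-limit does on inbound updates. The counting rule (every AS number in every segment counts) is an assumption of the example, not documented IOS behaviour.

```python
"""Wire-level view of the BGP AS_PATH attribute and an inbound length check.

Added example (not from the original article, not Cisco IOS code). It encodes
AS_PATH per RFC 4271 so the thresholds discussed in the text can be observed:
  - the segment length field is one octet, so every 255 AS numbers start a
    new AS_SEQUENCE segment;
  - the attribute length field is one octet unless the Extended Length flag
    (0x10) is set, which becomes necessary once the value part exceeds
    255 bytes (127 two-byte AS numbers in a single segment).
accept_update() models a 'bgp maxas-limit' style inbound check: count the AS
numbers and ignore the path when the count exceeds the configured limit.
Counting every AS number in every segment is this example's assumption.
"""
import struct

AS_PATH_TYPE_CODE = 2    # path attribute type code for AS_PATH
AS_SET = 1               # segment type: unordered set of AS numbers
AS_SEQUENCE = 2          # segment type: ordered list of AS numbers
FLAG_TRANSITIVE = 0x40   # AS_PATH is a well-known transitive attribute
FLAG_EXT_LEN = 0x10      # Extended Length: two-octet attribute length field
MAX_SEGMENT_ASNS = 255   # one-octet segment length field


def encode_as_path(asns, as_size=2):
    """Build a complete AS_PATH attribute (flags, type, length, value).

    Long paths are split into as many AS_SEQUENCE segments as needed; the
    Extended Length flag is set only when the value no longer fits a
    one-octet length field.
    """
    fmt = ">H" if as_size == 2 else ">I"
    value = b""
    for i in range(0, len(asns), MAX_SEGMENT_ASNS):
        chunk = asns[i:i + MAX_SEGMENT_ASNS]
        value += bytes([AS_SEQUENCE, len(chunk)])
        value += b"".join(struct.pack(fmt, a) for a in chunk)
    flags = FLAG_TRANSITIVE
    if len(value) > 255:
        flags |= FLAG_EXT_LEN
        header = struct.pack(">BBH", flags, AS_PATH_TYPE_CODE, len(value))
    else:
        header = struct.pack(">BBB", flags, AS_PATH_TYPE_CODE, len(value))
    return header + value


def decode_as_path(attr, as_size=2):
    """Parse an AS_PATH attribute into [(segment_type, [asn, ...]), ...].

    Every length field is checked against the bytes actually present; a
    malformed attribute raises ValueError instead of being trusted.
    """
    if len(attr) < 3 or attr[1] != AS_PATH_TYPE_CODE:
        raise ValueError("not an AS_PATH attribute")
    if attr[0] & FLAG_EXT_LEN:
        if len(attr) < 4:
            raise ValueError("truncated attribute header")
        length, value = struct.unpack(">H", attr[2:4])[0], attr[4:]
    else:
        length, value = attr[2], attr[3:]
    if len(value) != length:
        raise ValueError("attribute length field does not match data")
    fmt = ">H" if as_size == 2 else ">I"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        pos += 2
        end = pos + count * as_size
        if end > len(value):
            raise ValueError("segment runs past end of attribute")
        asns = [struct.unpack(fmt, value[pos + j * as_size:pos + (j + 1) * as_size])[0]
                for j in range(count)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def as_path_length(segments):
    """Total number of AS numbers across all segments (this example's rule)."""
    return sum(len(asns) for _, asns in segments)


def accept_update(attr, maxas_limit, as_size=2):
    """Inbound check modelled on bgp maxas-limit: returns (accepted, length)."""
    length = as_path_length(decode_as_path(attr, as_size))
    return length <= maxas_limit, length


if __name__ == "__main__":
    # Constructed paths around the interesting thresholds, checked at limit 100.
    for n in (126, 127, 255, 256):
        attr = encode_as_path([65000] * n)
        segs = decode_as_path(attr)
        print("%3d ASNs: %3d bytes, ext-len=%d, segments=%d, accepted@100=%s"
              % (n, len(attr), bool(attr[0] & FLAG_EXT_LEN), len(segs),
                 accept_update(attr, 100)[0]))
```

Running the script shows the 126/127 boundary for the Extended Length bit and the 255/256 boundary for segment splitting; with 4-byte AS numbers the Extended Length boundary moves down to 63/64. Note that the decoder refuses a path whose lengths do not add up rather than guessing, which is the behaviour you want in front of a data structure that is about to be stored in the BGP table.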

Exception logging

Whenever an inbound BGP update is received with an oversized AS-path attribute, the router logs a syslog message and ignores the update; the BGP session itself stays up.

Log message generated after an inbound update has been ignored

%BGP-6-ASPATH: Long AS path 65000 65000 65000 65000 65000
received from 10.0.7.13: More than configured MAXAS-LIMIT

The AS-path length limiting functionality can also be observed with any of the debug ip bgp update commands. A sample printout is included below: